SCP - Deny all regions for all services except S3 and global services


I want to create an SCP which denies the AWS account access to all Regions, except for the global services and S3 which should be allowed for only 2 regions.

I tried the following

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotAction": [
        <global_services>
        "s3:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            <regions>
          ]
        }
      }
    }
  ]
}

This restricts access to all resources except the ones listed in NotAction, which is not what I want.

Doing the following

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [<regions>]
        }
      }
    }
  ]
}

This works, but only for S3 (meaning I can still create any other resources in other regions).

What would be the correct combination here?


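One way to get the stated effect (global services allowed in every region, S3 allowed only in two regions, every other service denied everywhere) is to keep both Deny statements from the attempts above, dropping the region condition from the NotAction statement so that it denies non-global, non-S3 actions in all regions. The Python below is an added example, not code from the question: it builds that SCP and includes a small simulator of Deny-statement matching so the policy's effect on sample requests can be checked before it is attached; the global-service list, the two region names and the assumption that FullAWSAccess is also attached are placeholders/assumptions.

```python
import fnmatch

# Constructed placeholder values; substitute the real global-service list and regions.
GLOBAL_SERVICES = ["iam:*", "organizations:*", "sts:*", "route53:*", "cloudfront:*"]
S3_REGIONS = ["eu-west-1", "eu-central-1"]


def build_scp(global_services, s3_regions):
    """Combine the two attempts: statement 1 denies every non-global, non-S3 action in
    every region (no region condition); statement 2 denies S3 outside the chosen regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllExceptGlobalAndS3",
                "Effect": "Deny",
                "NotAction": [*global_services, "s3:*"],
                "Resource": "*",
            },
            {
                "Sid": "DenyS3OutsideAllowedRegions",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": s3_regions}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names are matched case-insensitively with '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _deny_applies(stmt, action, region):
    # "Action" lists what the statement covers; "NotAction" covers everything else.
    hit = _matches(action, stmt["Action"]) if "Action" in stmt else not _matches(action, stmt["NotAction"])
    if not hit:
        return False
    regions = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    return True if regions is None else region not in _as_list(regions)


def is_allowed(scp, action, region):
    """Simplified SCP check (assumption): FullAWSAccess is attached, so only explicit Denies matter."""
    return not any(s["Effect"] == "Deny" and _deny_applies(s, action, region) for s in scp["Statement"])
```

The simulator only models Action/NotAction matching and the aws:RequestedRegion condition, not the full AWS evaluation logic (for instance the region value global-service requests report), so confirm the result with the IAM policy simulator in a test account before rolling the SCP out.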